McAfee EPO
The McAfee EPO application for LogPoint normalizes McAfee ePolicy Orchestrator (EPO) events and lets you analyze attack summaries, threats, firewall activity, and attack severity through dashboards.
Package Details
The application consists of the following components:
- Dashboard Packages
  - LP_McAfee Antivirus Overview
  - LP_McAfee Antivirus Activity
- Normalization Packages
  - LP_McAfee EPO Antivirus DB Generic
  - LP_McAfee EPO XML
  - LP_McAfee EPO Antivirus
  - LP_McAfee EPO Antivirus DB
  - LP_McAfee VSE
- Label Package
  - LP_McAfee EPO Antivirus DB
Enhancement
Description | Issue ID | Reference ID |
---|---|---|
Added Syslog Collector based Trellix McAfee log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. | KB-22688 | - |
Installation
To install McAfee EPO v5.1.0:
Case I: Syslog Collector
- Download the McAfee EPO package from the Download section in the Release Details table.
- Add McAfee EPO as a required device in LogPoint.
- Create a collection policy with the Syslog collector and an appropriate processing policy.
- Assign the policy to the device.
- Add the dashboard.
Case II: ODBC Fetcher
- Download the McAfee EPO package (it includes the LP_McAfee EPO Antivirus DB normalization package) from the Download section in the Release Details table.
- Add McAfee EPO as a required device in LogPoint.
- Configure the ODBC fetcher. To learn more, go to Configuring the ODBC Fetcher for McAfee EPO in the McAfee EPO v5.1.0 guide.
- Assign the policy to the device.
- Add the dashboard.
McAfee Dashboards
Supported Device
- McAfee EPO
Log Formats
McAfee EPO (Syslog Collector)
Expected Log Format
CEF
Log Sample
<9>CEF:0|McAfee EPO|VirusScan Enterprise|8.8|1092|Solidcore<Test Send threat events to Syslog Server> alert|2|alertId=1092 alertName=Test Send threat events to Syslog Server alertType='File' class or access eventType=SolidcoreEvent host=LOGPOINT eventname=Anti-virus Standard Protection:Prevent remote creation of autorun files workflowid= eventTimestamp=06/03/13 08:38:36 UTC eventObject=H:\PROJECTS\ISFDY\BD DEFENSE\SALES\PROPOSALS\COUNTRY\EDGYPT\EGYPT FAC-M\OBSOLETE\RWM - MASS(TM) (D)\AUTORUN.INF eventProgramName= eventProgramUser=SYSTEM
McAfee EPO (ODBC Fetcher)
Expected Log Format
Semicolon-separated
Log Sample
"36172608";"2014-10-21 06:55:39.963000";"none";"none";"1119";"ops.update.end";"4";"2014-10-21 06:00:24";"None";"AutoUpdate";"none";"True";"SYSTEM";"jria";"DCCAT";"DC014134";"DC014134";"DC014134.DCCAT.DK";"10.11.0.82";"";"001f1639e203";"Windows 8.1";"Service Pack 1";"6.1";"7601";"Rom, normaltid";"None";"10.11.0.68";"None";"None";"None";"None";"1";"VirusScan Enterprise";"8.8";"5600.1067";"5600.1067";"7597.0000";"N/A";"5600.1067";"2";"8.8.0.975.Wrk";"";
McAfee EPO
Expected Log Format
XML
Log Sample
<29>May 12 01:11:44 XXXXX EPOEvents <?xml version="1.0" encoding="UTF-8"?><SCORData><MachineInfo><MachineName>ABC1234</MachineName><AgentGUID>{64c1dd34-f3bc-11e8-00ee-2XXXXXXXXXXX}</AgentGUID><IPAddress>1.1.1.1</IPAddress><OSName>Windows 8 Workstation</OSName><UserName>SYSTEM</UserName><TimeZoneBias>-120</TimeZoneBias><RawMACAddress>242ffa151533</RawMACAddress></MachineInfo><SCORSoftware ProductName="XYZ" ProductVersion="8.0.0" ProductFamily="Secure"><SCOREvent><EventID>20719</EventID><Severity>1</Severity><GMTTime>2022-05-12T13:11:17</GMTTime><SCORevent_name>WRITE_DENIED</SCORevent_name><SCORevt_id>20</SCORevt_id><SCORevt_type>EVT_CAT_TYPE_MAJOR</SCORevt_type><SCORevt_sink>7</SCORevt_sink><SCORseq_no>401234</SCORseq_no><SCORtime_stamp>1589289077527</SCORtime_stamp><SCORserver_state>0</SCORserver_state><SCORuser_name>NT AUTHORITY\SYSTEM</SCORuser_name><SCORprocess_name>C:\windows\abc\abc.exe</SCORprocess_name><SCORprocess_id>2408</SCORprocess_id><SCORfile_name>C:\Windows\abc\ABC.dll</SCORfile_name><SCORprocess_sha1>3342761485c5aed17bc5dabd34219e4cbf836b9b</SCORprocess_sha1><SCORprocess_md5>edf009f55cd0928009c5c05780616e3d</SCORprocess_md5><SCORprocess_sha256>9bfa82f4c09461c3452b4edc5fd5de32e37d135ff4db3f6762b706928ae1ed50</SCORprocess_sha256></SCOREvent></SCORSoftware></SCORData>#015
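The three samples above are the shapes the normalization packages have to handle: a CEF record whose extension values contain spaces, a quoted semicolon-separated row produced by the ODBC fetcher, and a syslog line carrying a Solidcore XML document. As an added example, not LogPoint's or McAfee's code, the following Python parses each into one flat dict. The column names for the ODBC row are the aliases of the default fetcher query in the Configuration of McAfee EPO (ODBC Fetcher) section on this page; severity_level and source_host are field names this page uses, and the other output field names (file, hash_sha256, source_address) are illustrative assumptions. The sample inputs are constructed from the page's own samples, the XML one abridged.

```python
# Added example (not LogPoint's or McAfee's code): parse the three McAfee EPO shapes.
import csv
import io
import re
import xml.etree.ElementTree as ET

SYSLOG_PRI = re.compile(r"^<\d{1,3}>")
CEF_PIPE = re.compile(r"(?<!\\)\|")                  # a '|' not escaped as '\|'
CEF_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # start of a key=value pair

# Output columns of the default ODBC fetcher query, in SELECT order; the
# semicolon-separated sample above is exactly one row of this shape (43 fields).
ODBC_COLUMNS = (
    "AutoID", "timestamp", "signature", "threat_type", "signature_id", "category",
    "severity_id", "detected_timestamp", "file_name", "detection_method",
    "vendor_action", "threat_handled", "target_user", "user", "dest_nt_domain",
    "dest_dns", "dest_nt_host", "fqdn", "dest_ip", "dest_netmask", "dest_mac", "os",
    "sp", "os_version", "os_build", "timezone", "src_dns", "src_ip", "src_mac",
    "process", "url", "caller_user", "is_laptop", "product", "product_version",
    "engine_version", "dat_version", "vse_dat_version", "vse_engine64_version",
    "vse_engine_version", "vse_hotfix", "vse_product_version", "vse_sp",
)

def parse_cef(line):
    """7 pipe-separated header fields, then key=value pairs whose values may contain
    spaces: each value runs up to the next key= token, not up to the next space."""
    head = CEF_PIPE.split(SYSLOG_PRI.sub("", line, count=1), maxsplit=7)
    if len(head) != 8 or not head[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    ext, fields = head[7], {}
    keys = list(CEF_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return {
        "format": "cef",
        "vendor": head[1].replace("\\|", "|"),
        "product": head[2],
        "signature_id": head[4],
        "signature": head[5],
        "severity_level": head[6],           # CEF severity, 0-10 scale
        "source_host": fields.get("host"),
        "user": fields.get("eventProgramUser"),
        "file": fields.get("eventObject"),
    }

def parse_odbc_row(line):
    """Quoted, ';'-separated row; the trailing ';' yields one extra empty field."""
    row = next(csv.reader(io.StringIO(line), delimiter=";", quotechar='"'))
    if len(row) == len(ODBC_COLUMNS) + 1 and row[-1] == "":
        row = row[:-1]
    if len(row) != len(ODBC_COLUMNS):
        raise ValueError(f"expected {len(ODBC_COLUMNS)} columns, got {len(row)}")
    rec = dict(zip(ODBC_COLUMNS, row))
    rec["format"] = "odbc"
    return rec

def parse_xml(line):
    """Syslog header, then an XML document, then '#015' (rsyslog's escaped CR)."""
    start = line.find("<?xml")
    if start < 0:
        raise ValueError("no XML payload")
    payload = line[start:].rstrip()
    if payload.endswith("#015"):
        payload = payload[:-4]
    root = ET.fromstring(payload.encode("utf-8"))
    ev = "SCORSoftware/SCOREvent/"
    text = lambda path: getattr(root.find(path), "text", None)
    sw = root.find("SCORSoftware")
    return {
        "format": "xml",
        "product": sw.get("ProductName") if sw is not None else None,
        "signature_id": text(ev + "EventID"),
        "signature": text(ev + "SCORevent_name"),
        "severity_level": text(ev + "Severity"),   # Solidcore scale, not CEF's
        "source_host": text("MachineInfo/MachineName"),
        "source_address": text("MachineInfo/IPAddress"),
        "user": text(ev + "SCORuser_name"),
        "process": text(ev + "SCORprocess_name"),
        "file": text(ev + "SCORfile_name"),
        "hash_sha256": text(ev + "SCORprocess_sha256"),
    }

def normalize(line):
    """Pick the parser from the leading bytes after the syslog PRI."""
    body = SYSLOG_PRI.sub("", line, count=1)
    if body.startswith("CEF:"):
        return parse_cef(line)
    if "<?xml" in body:
        return parse_xml(line)
    if body.startswith('"'):
        return parse_odbc_row(line)
    raise ValueError("unrecognised McAfee EPO record")

# Constructed inputs copied from the samples on this page (the XML one abridged).
SAMPLE_CEF = r"<9>CEF:0|McAfee EPO|VirusScan Enterprise|8.8|1092|Solidcore<Test Send threat events to Syslog Server> alert|2|alertId=1092 alertName=Test Send threat events to Syslog Server alertType='File' class or access eventType=SolidcoreEvent host=LOGPOINT eventname=Anti-virus Standard Protection:Prevent remote creation of autorun files workflowid= eventTimestamp=06/03/13 08:38:36 UTC eventObject=H:\PROJECTS\ISFDY\BD DEFENSE\SALES\PROPOSALS\COUNTRY\EDGYPT\EGYPT FAC-M\OBSOLETE\RWM - MASS(TM) (D)\AUTORUN.INF eventProgramName= eventProgramUser=SYSTEM"
SAMPLE_ODBC = '"36172608";"2014-10-21 06:55:39.963000";"none";"none";"1119";"ops.update.end";"4";"2014-10-21 06:00:24";"None";"AutoUpdate";"none";"True";"SYSTEM";"jria";"DCCAT";"DC014134";"DC014134";"DC014134.DCCAT.DK";"10.11.0.82";"";"001f1639e203";"Windows 8.1";"Service Pack 1";"6.1";"7601";"Rom, normaltid";"None";"10.11.0.68";"None";"None";"None";"None";"1";"VirusScan Enterprise";"8.8";"5600.1067";"5600.1067";"7597.0000";"N/A";"5600.1067";"2";"8.8.0.975.Wrk";"";'
SAMPLE_XML = r'<29>May 12 01:11:44 XXXXX EPOEvents <?xml version="1.0" encoding="UTF-8"?><SCORData><MachineInfo><MachineName>ABC1234</MachineName><IPAddress>1.1.1.1</IPAddress><OSName>Windows 8 Workstation</OSName><UserName>SYSTEM</UserName></MachineInfo><SCORSoftware ProductName="XYZ" ProductVersion="8.0.0" ProductFamily="Secure"><SCOREvent><EventID>20719</EventID><Severity>1</Severity><GMTTime>2022-05-12T13:11:17</GMTTime><SCORevent_name>WRITE_DENIED</SCORevent_name><SCORuser_name>NT AUTHORITY\SYSTEM</SCORuser_name><SCORprocess_name>C:\windows\abc\abc.exe</SCORprocess_name><SCORfile_name>C:\Windows\abc\ABC.dll</SCORfile_name><SCORprocess_sha256>9bfa82f4c09461c3452b4edc5fd5de32e37d135ff4db3f6762b706928ae1ed50</SCORprocess_sha256></SCOREvent></SCORSoftware></SCORData>#015'
```

Two details matter when you write your own parser for these shapes: a CEF extension cannot be split on whitespace, because values such as eventObject and eventname contain spaces, so the value boundary is the next key= token; and the ODBC row has a trailing semicolon, so a naive column count is off by one. Note that the CEF severity (0-10) and the Solidcore Severity element are different scales, which is why the example keeps them as the raw string rather than mapping them.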
Enhancement
Description | Issue ID | Reference ID |
---|---|---|
Renamed the severity field to severity_level in McAfeeEPOXMLCompiledNormalizer. | KB-10891 | 46765 |
Updated LP_McAfee EPO XML to support events from McAfee ePolicy Orchestrator. | | |
Added new signatures to McAfeeEPODBCompiledNormalizer to normalize McAfee EPO Antivirus logs. | KB-10757 | 44911 |
Bug Fixes
The following issues are fixed:
Description | Issue ID | Reference ID |
---|---|---|
Some McAfee EPO logs were not normalized by LP_McAfee EPO XML. | KB-15680 | 62907 |
The analyzer_host, source_host, and destination_host fields were mapped to the host field. | KB-15635 | 62489 |
The TargetUserName and UserName fields were mapped to the user field. | | |
Enhancement
A minor update has been made to the application's normalizer for better signature handling.
Installation
Follow these steps to install the McAfee EPO v3.2.0 plugin:
Case I: Syslog Collector
- Download the McAfee EPO package from the Download section above.
- Add McAfee EPO as the required device in LogPoint.
- Create a collection policy with the Syslog collector and appropriate processing policy.
- Assign the policy to the device.
- Add the dashboard.
Case II: ODBC Fetcher
- Download the McAfee EPO package (it includes the LP_McAfee EPO Antivirus DB normalization package) from the Download section above.
- Add McAfee EPO as the required device in LogPoint.
- Configure the ODBC fetcher with the details listed in the Configuration of McAfee EPO (ODBC Fetcher) section below.
- Assign the policy to the device.
- Add the dashboard.
Screenshots
Configuration of McAfee EPO (ODBC Fetcher)
- Driver: MSSQL2
- Port: 1433
- Database: the name of the ePO SQL Server database.
- Username: a SQL login with read access to the ePO tables and views used by the query. The default query only reads, so a read-only login is sufficient; do not use the ePO application's own database account.
- Password: the password for that login.
- Incremental Key: A unique, increasing column used as the pointer from which the next fetch resumes, so that rows already read are not fetched again. The default value is AutoID.
- Incremental Key Table: The table the incremental key belongs to. The default value is EPOEvents.
- New Line Separator: Used only when log entries contain embedded newline characters. Otherwise leave it empty.
- Query: Fetches the data from the table(s). The query may be simple or based on joins. ePO stores IPv4 addresses as a signed 32-bit integer offset by 2^31 (IPV4x, SourceIPV4); the convert()/substring() expressions below add 2147483648 back and read the four bytes to produce dotted-quad strings. The default query (shown with line breaks for readability; it can be entered on one line) is:
SELECT
  [EPOEvents].[AutoID],
  [EPOEvents].[ReceivedUTC] as [timestamp],
  [EPOEvents].[ThreatName] as [signature],
  [EPOEvents].[ThreatType] as [threat_type],
  [EPOEvents].[ThreatEventID] as [signature_id],
  [EPOEvents].[ThreatCategory] as [category],
  [EPOEvents].[ThreatSeverity] as [severity_id],
  [EPOEvents].[DetectedUTC] as [detected_timestamp],
  [EPOEvents].[TargetFileName] as [file_name],
  [EPOEvents].[AnalyzerDetectionMethod] as [detection_method],
  [EPOEvents].[ThreatActionTaken] as [vendor_action],
  [EPOEvents].[ThreatHandled] as [threat_handled],
  [EPOEvents].[TargetUserName] as [target_user],
  [EPOComputerProperties].[UserName] as [user],
  [EPOComputerProperties].[DomainName] as [dest_nt_domain],
  [EPOEvents].[TargetHostName] as [dest_dns],
  [EPOEvents].[TargetHostName] as [dest_nt_host],
  [EPOComputerProperties].[IPHostName] as [fqdn],
  [dest_ip] = (
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),1,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),2,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),3,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOComputerProperties].[IPV4x] + 2147483648))),4,1)))
  ),
  [EPOComputerProperties].[SubnetMask] as [dest_netmask],
  [EPOComputerProperties].[NetAddress] as [dest_mac],
  [EPOComputerProperties].[OSType] as [os],
  [EPOComputerProperties].[OSServicePackVer] as [sp],
  [EPOComputerProperties].[OSVersion] as [os_version],
  [EPOComputerProperties].[OSBuildNum] as [os_build],
  [EPOComputerProperties].[TimeZone] as [timezone],
  [EPOEvents].[SourceHostName] as [src_dns],
  [src_ip] = (
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),1,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),2,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),3,1)))+'.'+
    convert(varchar(3),convert(tinyint,substring(convert(varbinary(4),convert(bigint,([EPOEvents].[SourceIPV4] + 2147483648))),4,1)))
  ),
  [EPOEvents].[SourceMAC] as [src_mac],
  [EPOEvents].[SourceProcessName] as [process],
  [EPOEvents].[SourceURL] as [url],
  [EPOEvents].[SourceUserName] as [caller_user],
  [EPOComputerProperties].[IsPortable] as [is_laptop],
  [EPOEvents].[AnalyzerName] as [product],
  [EPOEvents].[AnalyzerVersion] as [product_version],
  [EPOEvents].[AnalyzerEngineVersion] as [engine_version],
  [EPOEvents].[AnalyzerDATVersion] as [dat_version],
  [EPOProdPropsView_VIRUSCAN].[datver] as [vse_dat_version],
  [EPOProdPropsView_VIRUSCAN].[enginever64] as [vse_engine64_version],
  [EPOProdPropsView_VIRUSCAN].[enginever] as [vse_engine_version],
  [EPOProdPropsView_VIRUSCAN].[hotfix] as [vse_hotfix],
  [EPOProdPropsView_VIRUSCAN].[productversion] as [vse_product_version],
  [EPOProdPropsView_VIRUSCAN].[servicepack] as [vse_sp]
FROM [EPOEvents]
  left join [EPOLeafNode] on [EPOEvents].[AgentGUID] = [EPOLeafNode].[AgentGUID]
  left join [EPOProdPropsView_VIRUSCAN] on [EPOLeafNode].[AutoID] = [EPOProdPropsView_VIRUSCAN].[LeafNodeID]
  left join [EPOComputerProperties] on [EPOLeafNode].[AutoID] = [EPOComputerProperties].[ParentID]
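The query above undoes ePO's IPv4 storage format in T-SQL, and the Incremental Key setting is what keeps each poll from re-reading the whole table. As an added example, not LogPoint's or McAfee's code, the following Python does the same address decode and shows what the incremental key buys: every poll asks only for rows whose AutoID is above the last one read, and the stored key advances with each batch. The EPOEvents table is an in-memory SQLite stand-in holding constructed rows with only the columns the example needs; the LIMIT-per-poll batching and the drain loop are this example's own design, not a description of the fetcher's internals.

```python
# Added example (not LogPoint's or McAfee's code). ePO stores IPv4 addresses as a signed
# 32-bit integer offset by 2^31 (EPOComputerProperties.IPV4x, EPOEvents.SourceIPV4).
# The table below is a constructed SQLite stand-in for EPOEvents.
import sqlite3
import struct

EPO_OFFSET = 2147483648  # 2^31, the constant the default query adds back

def epo_ipv4x_to_str(value):
    """Signed ePO integer -> dotted quad: add 2^31, read the 4 bytes big-endian."""
    if value is None:
        return None
    raw = (int(value) + EPO_OFFSET) & 0xFFFFFFFF
    return ".".join(str(b) for b in struct.pack(">I", raw))

def str_to_epo_ipv4x(addr):
    """Dotted quad -> the signed integer ePO would store (used to build test rows)."""
    (raw,) = struct.unpack(">I", bytes(int(o) for o in addr.split(".")))
    return raw - EPO_OFFSET

def make_epo_events(rows):
    """Constructed stand-in for EPOEvents with only the columns this example reads."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE EPOEvents (AutoID INTEGER PRIMARY KEY, ReceivedUTC TEXT,"
        " ThreatName TEXT, ThreatSeverity INTEGER, SourceIPV4 INTEGER)"
    )
    db.executemany("INSERT INTO EPOEvents VALUES (?, ?, ?, ?, ?)", rows)
    return db

def fetch_since(db, last_key, batch_size=100):
    """One poll: rows strictly above the stored key, in key order, bounded per poll.
    Returns (events, new_key); the caller persists new_key before the next poll."""
    cur = db.execute(
        "SELECT AutoID, ReceivedUTC, ThreatName, ThreatSeverity, SourceIPV4"
        " FROM EPOEvents WHERE AutoID > ? ORDER BY AutoID LIMIT ?",
        (last_key, batch_size),
    )
    events = [
        {"AutoID": a, "timestamp": t, "signature": n, "severity_id": s,
         "src_ip": epo_ipv4x_to_str(ip)}
        for a, t, n, s, ip in cur
    ]
    new_key = events[-1]["AutoID"] if events else last_key
    return events, new_key

def drain(db, start_key=0, batch_size=2):
    """Keep polling until a poll returns nothing; each row is delivered exactly once."""
    seen, key = [], start_key
    while True:
        events, key = fetch_since(db, key, batch_size)
        if not events:
            return seen, key
        seen.extend(events)

# Constructed rows; the two private addresses are the ones in the sample row above.
SAMPLE_ROWS = [
    (1, "2014-10-21 06:55:39", "none", 4, str_to_epo_ipv4x("10.11.0.68")),
    (2, "2014-10-21 07:01:12", "EICAR test file", 2, str_to_epo_ipv4x("10.11.0.82")),
    (3, "2014-10-21 07:02:40", "none", 4, None),
    (4, "2014-10-21 07:05:03", "none", 4, str_to_epo_ipv4x("0.0.0.0")),
    (5, "2014-10-21 07:09:58", "none", 4, str_to_epo_ipv4x("255.255.255.255")),
]

if __name__ == "__main__":
    events, key = drain(make_epo_events(SAMPLE_ROWS))
    for e in events:
        print(e["AutoID"], e["src_ip"], e["signature"])
    print("next poll starts above AutoID", key)
```

The round-trip helper str_to_epo_ipv4x exists only to build realistic rows: any address below 128.0.0.0 is stored as a negative number, which is why a raw SELECT of IPV4x looks wrong until the offset is added back. Because the poll filters on AutoID > key, the key must come from an increasing column; a key that can be reused or reset would make the fetcher skip or duplicate rows.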
Support
If you have any queries or require assistance, please feel free to contact our support team:
Email: servicedesk@logpoint.com
Phone: +45 7060 6100
Please confirm whether the instruction in the post is correct:
"Download the Trend Micro DB package from the customer site"
Since EPO uses does it not require MS SQL fetcher?
Please update this page to include a zip as seen here https://servicedesk.logpoint.com/hc/en-us/articles/115003783925